Re: curl/libssh2 ssh-rsa issue
From: João M. S. Silva via curl-users <curl-users_at_lists.haxx.se>
Date: Mon, 12 Jun 2023 15:53:54 +0100
I believe there is still some issue with the latest releases of
curl+libssh2 related to SHA1 vs SHA2.
If I build libssh2 like this:
-DLIBSSH2_NO_RSA_SHA1 -DLIBSSH2_NO_DSA -DLIBSSH2_NO_RC4 -DLIBSSH2_NO_CAST
-DLIBSSH2_NO_3DES -DLIBSSH2_NO_MD5
curl cannot negotiate keys:
* Set "rsa-sha2-256,rsa-sha2-512,ssh-rsa" as SSH hostkey type
* Failure establishing ssh session: -8, Unable to exchange encryption keys
I then tried to add -DLIBSSH2_RSA_SHA2 but the result was the same.
It only works if I enable SHA1 with -DLIBSSH2_RSA_SHA1.
Even though the negotiation occurs with the available SHA2 key, SHA1 is
still allowed by libssh2, which is a problem.
João M. S. Silva
On Fri, Jun 2, 2023 at 5:40 PM João M. S. Silva <
joao.m.santos.silva_at_gmail.com> wrote:
> With the new libssh2.c file and #define CURL_LIBSSH2_DEBUG I now get:
>
> [libssh2] 0.196745 Key Ex: Server's SHA1 Fingerprint:
> 10:04:1a:f5:f3:5b:bd:2f:f1:fc:30:9f:2f:ab:74:12:4d:03:de:72
> [libssh2] 0.196788 Key Ex: Server's SHA256 Fingerprint:
> SZOJVBXkEDqeNo0+xKDHRjdWLfdxXyOTmizRGj34x3M=
> [libssh2] 0.196804 Failure Event: unexpected rsa type: ssh-rsa
> [libssh2] 0.196806 Failure Event: -10 - Unable to initialize hostkey
> importer ECDH
> [libssh2] 0.196814 Failure Event: -8 - Unrecoverable error exchanging keys
> [libssh2] 0.196816 Failure Event: -8 - Unable to exchange encryption keys
> * Failure establishing ssh session: -8, Unable to exchange encryption keys
> * SFTP 0x557495c6fa28 state change from SSH_S_STARTUP to SSH_SESSION_FREE
> [libssh2] 0.196863 Transport: Freeing session resource
> [libssh2] 0.196865 Transport: Extra packets left 0
> * SFTP 0x557495c6fa28 state change from SSH_SESSION_FREE to SSH_STOP
> * multi_done: status: 2 prem: 1 done: 0
> ^M 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:--
> 0
> ^M 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:--
> 0
> * multi_done, not re-using connection=0, forbid=0, close=1, premature=1,
> conn_multiplex=0
> * The cache now contains 0 members
> * Curl_disconnect(conn #0, dead=1)
> * SSH DISCONNECT starts now
> * SSH DISCONNECT is done
> * Closing connection 0
> * Expire cleared (transfer 0x557495cb7648)
> curl: (2) Failure establishing ssh session: -8, Unable to exchange
> encryption keys
>
> On Fri, Jun 2, 2023 at 5:10 PM Daniel Stenberg <daniel_at_haxx.se> wrote:
>
>> On Fri, 2 Jun 2023, João M. S. Silva via curl-users wrote:
>>
>> > $ curl -vvvvvv -T A sftp://127.0.0.1//home/shared/B -u x:y
>>
>> curl's -v option is binary. Using more than one doesn't do anything more.
>>
>> > * Expire cleared (transfer 0x55e16c7a5638)
>> > curl: (79) Error in the SSH layer
>>
>> ...
>>
>> > Is there a way, without writing custom code, to make curl/libssh2
>> output the
>> > specific reason for failure?
>>
>> I consider it a bug that it doesn't say more. It really should, as that
>> is
>> almost tauntingly brief and non-helpful.
>>
>> It seems to be related to the setting of the host key type though since
>> that's
>> what it shows immediately before the error.
>>
>> Do you think there is a risk that your test run maybe accidentally used
>> an
>> older libssh2 install?
>>
>> Also, if you can, try this patch on top of your curl to maybe get a
>> (better)
>> error message: https://github.com/curl/curl/pull/11240
>>
>> --
>>
>> / daniel.haxx.se
>> | Commercial curl support up to 24x7 is available!
>> | Private help, bug fixes, support, ports, new features
>> | https://curl.se/support.html
>
>
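The thread above turns on which host key algorithm gets negotiated when curl hands libssh2 the preference list "rsa-sha2-256,rsa-sha2-512,ssh-rsa". The following is an added example, written for this page and not taken from the thread, from the poster, or from curl or libssh2; it models only the name-list negotiation rule of RFC 4253 section 7.1 (the first client-preferred algorithm that the server also lists wins) against constructed server KEXINIT messages, and does not reproduce libssh2's internals or the effect of the build defines discussed. The point it illustrates for a defender: as long as "ssh-rsa" stays in the client list as a fallback, a server that advertises nothing newer will still be accepted with a SHA-1 host key signature, whereas a list with the fallback removed fails closed. The hypothetical strict list and the two server offers are assumptions made for the demonstration.

```python
import struct

SSH_MSG_KEXINIT = 20                        # RFC 4253 section 12
SHA1_HOSTKEY_ALGS = {"ssh-rsa", "ssh-dss"}  # host key signatures made with SHA-1 (RFC 4253 6.6)

def _name_list(names):
    """Encode an SSH name-list: uint32 length followed by comma-separated names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data

def build_kexinit(kex, hostkey, ciphers, macs, comps):
    """Build a constructed KEXINIT payload (RFC 4253 7.1); the 16-byte cookie is zeroed
    so the sample is reproducible (a real peer fills it with random bytes)."""
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for names in (kex, hostkey, ciphers, ciphers, macs, macs, comps, comps, [], []):
        payload += _name_list(names)
    payload += b"\x00"                 # first_kex_packet_follows = FALSE
    payload += struct.pack(">I", 0)    # reserved, must be zero
    return payload

KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_kexinit(payload):
    """Decode a KEXINIT payload into its ten name-lists, keyed by field name."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos = 1 + 16                       # skip message id and cookie
    fields = {}
    for name in KEXINIT_FIELDS:
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        raw = payload[pos:pos + length]
        pos += length
        fields[name] = raw.decode("ascii").split(",") if raw else []
    return fields

def negotiate(client_prefs, server_offer):
    """RFC 4253 7.1 rule: the first client-preferred algorithm also listed by the server wins."""
    for alg in client_prefs:
        if alg in server_offer:
            return alg
    return None

def audit_hostkey(client_prefs, server_kexinit):
    """Report which host key algorithm a client preference list would negotiate against
    the given server KEXINIT, and whether that algorithm still signs with SHA-1."""
    offered = parse_kexinit(server_kexinit)["hostkey"]
    chosen = negotiate(client_prefs, offered)
    return {"offered": offered, "chosen": chosen,
            "sha1": chosen is not None and chosen in SHA1_HOSTKEY_ALGS}

# Preference list as shown in curl's verbose output quoted on this page.
CURL_HOSTKEY_PREFS = "rsa-sha2-256,rsa-sha2-512,ssh-rsa".split(",")
# Hypothetical stricter list with the SHA-1 fallback dropped (assumption for illustration).
STRICT_HOSTKEY_PREFS = ["rsa-sha2-256", "rsa-sha2-512"]

# Constructed server KEXINITs, not captured from any real host.
SERVER_LEGACY = build_kexinit(["curve25519-sha256"], ["ssh-rsa", "ssh-ed25519"],
                              ["aes256-gcm@openssh.com"], ["hmac-sha2-256"], ["none"])
SERVER_MODERN = build_kexinit(["curve25519-sha256"],
                              ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"],
                              ["aes256-gcm@openssh.com"], ["hmac-sha2-256"], ["none"])

if __name__ == "__main__":
    for server_label, server in (("legacy server", SERVER_LEGACY), ("modern server", SERVER_MODERN)):
        for prefs_label, prefs in (("curl list", CURL_HOSTKEY_PREFS), ("strict list", STRICT_HOSTKEY_PREFS)):
            print(f"{server_label:14s} {prefs_label:12s} {audit_hostkey(prefs, server)}")
```

Against the constructed legacy server the curl list lands on "ssh-rsa" (a SHA-1 signature) because it is the only RSA name both sides share, while the strict list negotiates nothing and the connection would fail; against the modern server both lists pick "rsa-sha2-256", since the client's order, not the server's, decides. Which algorithms a given libssh2 build actually accepts after the defines in the thread is a separate question that this model does not answer.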
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users
Etiquette: https://curl.se/mail/etiquette.html
Received on 2023-06-12